Security Update 2012-06-04 released

The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL database system, including versions 9.1.4, 9.0.8, 8.4.12 and 8.3.19.

Users of the crypt(text, text) function with DES encryption in the optional pgcrypto module should upgrade their installations immediately. All other database administrators are urged to upgrade their installations at the next scheduled downtime. More details on the security fixes are included below.

This release contains 42 fixes to version 9.1, and a smaller number of fixes to older versions, including:

- Fix citext upgrade script for collations of citext arrays and domains over citext
- Fixes for timezone handling
- Fix text or char to name casts to perform string truncation correctly in multibyte encodings
- Fix logging collector to ensure it will restart file rotation after receiving SIGHUP
- Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped
- Avoid synchronous replication delay when committing a transaction that only modified temporary tables

As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Perform post-update steps after the database is restarted. If you use the citext data type, and you upgraded from a previous major release by running pg_upgrade, please see the release notes for 9.1.4 for important post-upgrade steps.

The pgcrypto vulnerability affects PostgreSQL users who use the crypt(text, text) function (in the optional pgcrypto module) with DES encryption and non-ASCII passwords. Passwords affected are those that contain the byte value 0x80. Characters after such a byte were ignored, so the effective password was shorter and easier to crack than it should have been. After the upgrade, any passwords containing such bytes will need to be regenerated, because the hashes stored by a vulnerable server were computed from the truncated password and will no longer verify against the full one.
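The following is an added example, not part of the PostgreSQL announcement, showing how an administrator can check whether a running server still exhibits the truncation described above. It assumes pgcrypto is already installed in the database and that the database encoding is UTF-8, where the character 'À' is encoded as the bytes 0xC3 0x80; the sample passwords are constructed for the test and are not real credentials.

```sql
-- Added example (not from the PostgreSQL project): probe whether crypt()/DES
-- stops reading the password at a 0x80 byte.
--
-- 'pÀ' is the bytes 70 C3 80 in UTF-8, so anything appended after 'À'
-- follows a 0x80 byte. DES crypt only considers the first 8 bytes of the
-- password, so both sample values are kept inside that window.
WITH probe AS (
    SELECT 'pÀ'::text    AS short_pw,      -- constructed sample password
           'pÀxyz'::text AS long_pw,       -- same prefix plus extra characters
           crypt('pÀ', gen_salt('des')) AS short_hash
)
SELECT short_hash,
       -- Verifies the longer password against the hash of the shorter one.
       crypt(long_pw, short_hash) = short_hash AS longer_password_verifies
FROM probe;
```

If longer_password_verifies comes back true, the server is still ignoring everything after the 0x80 byte and the pgcrypto fix has not been applied; on a fixed server the two passwords hash differently and the column is false. Run the probe again after upgrading, then regenerate any stored DES hashes for passwords that contain such bytes, as the announcement instructs.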

CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a procedural language’s call handler

Applying such attributes to a call handler could crash the server.
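The following is an added example, not part of the PostgreSQL announcement, for administrators who want to find out whether any procedural-language call handler in a database currently carries the attributes that triggered the crash, so they can be reviewed before or after the upgrade. It uses only the pg_language and pg_proc catalog columns (lanplcallfoid, prosecdef, proconfig) that exist in the supported versions listed above.

```sql
-- Added example (not from the PostgreSQL project): list procedural-language
-- call handlers that have been given SECURITY DEFINER or SET attributes.
-- After the update these attributes are ignored for call handlers; before it,
-- the announcement says they could crash the server.
SELECT l.lanname,
       p.proname       AS call_handler,
       p.prosecdef     AS is_security_definer,   -- SECURITY DEFINER flag
       p.proconfig     AS set_attributes         -- SET parameter = value list
FROM pg_language l
JOIN pg_proc p ON p.oid = l.lanplcallfoid
WHERE l.lanispl                               -- procedural languages only
  AND (p.prosecdef OR p.proconfig IS NOT NULL)
ORDER BY l.lanname;
```

An empty result means no call handler carries either attribute. Any row returned identifies a handler function whose SECURITY DEFINER or SET clause should be removed with ALTER FUNCTION, since it has no supported effect on a call handler and, on unpatched servers, is the condition the fix addresses.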

All supported versions of PostgreSQL are affected. See the release notes for each version for a full list of changes with details of the fixes and steps.